authorFabian Knittel <fabian.knittel@avona.com>2010-05-04 16:21:47 +0200
committerDavid Sommerseth <dazo@users.sourceforge.net>2010-10-21 21:26:42 +0200
commit8bebb729a53ae423d0867648f0c12868a96cafde (patch)
treeb893b8d7e6301a8bba2ccc5b9c68e621d4f976bc
parentRevamped the script-security warning logging (version 2) (diff)
downloadopenvpn-8bebb729a53ae423d0867648f0c12868a96cafde.tar.xz
ssl.c: fix use of openvpn_run_script()'s return value
This patch fixes two bugs introduced in commit 339f2a4d4b487afa53fa99d72c35b16f31e417d3 Author: David Sommerseth <dazo@users.sourceforge.net> Date: Thu Apr 29 23:35:45 2010 +0200 David's patch replaced openvpn_execve() with openvpn_run_script() in two places, but didn't adjust the return value handling. openvpn_run_script() returns true or false, while openvpn_execve() returns the program's exit code. Without the fix, the --tls-verify script and the --auth-user-pass-verify script fail to run. (I noticed the latter, but haven't actually tested the former.) The return value handling is fine for the other places where openvpn_run_script() is used, because those places previously used openvpn_execve_check() (notice the "_check" suffix). Signed-off-by: Fabian Knittel <fabian.knittel@avona.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Diffstat (limited to '')
-rw-r--r--ssl.c18
1 files changed, 5 insertions, 13 deletions
diff --git a/ssl.c b/ssl.c
index 71d1f34..cf4c7bf 100644
--- a/ssl.c
+++ b/ssl.c
@@ -992,21 +992,19 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
gc_free(&gc);
}
- if (system_ok (ret))
+ if (ret)
{
msg (D_HANDSHAKE, "VERIFY SCRIPT OK: depth=%d, %s",
ctx->error_depth, subject);
}
else
{
- if (!system_executed (ret))
- argv_msg_prefix (M_ERR, &argv, "Verify command failed to execute");
msg (D_HANDSHAKE, "VERIFY SCRIPT ERROR: depth=%d, %s",
ctx->error_depth, subject);
goto err; /* Reject connection */
}
}
-
+
/* check peer cert against CRL */
if (opt->crl_file)
{
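Review bot: The `if (ret)` test on the new side now treats a `bool` from openvpn_run_script() as a plain truth value, but `ret`'s declaration is above this hunk and, given the old `system_ok (ret)` usage, was presumably an `int`; the commit changes the matching variable in verify_user_pass_script to `bool` (second hunk) and the same should be done here so the two call sites agree. Dropping the `!system_executed (ret)` branch also means a script that could not be spawned and a script that exited non-zero now both land in the single "VERIFY SCRIPT ERROR" message; that is fine for fail-closed behaviour (`goto err` still rejects the peer), but it is worth recording the assumption that the helper logs the spawn failure itself, e.g. `/* false covers both a non-zero exit and a script that could not be run; openvpn_run_script() is expected to log the latter. Either way the peer is rejected. */` above the `if`. verify_callback's body starts and ends outside this hunk.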
@@ -3299,7 +3297,6 @@ verify_user_pass_script (struct tls_session *session, const struct user_pass *up
struct gc_arena gc = gc_new ();
struct argv argv = argv_new ();
const char *tmp_file = "";
- int retval;
bool ret = false;
/* Is username defined? */
@@ -3342,16 +3339,11 @@ verify_user_pass_script (struct tls_session *session, const struct user_pass *up
/* format command line */
argv_printf (&argv, "%sc %s", session->opt->auth_user_pass_verify_script, tmp_file);
-
+
/* call command */
- retval = openvpn_run_script (&argv, session->opt->es, 0, "--auth-user-pass-verify");
+ ret = openvpn_run_script (&argv, session->opt->es, 0,
+ "--auth-user-pass-verify");
- /* test return status of command */
- if (system_ok (retval))
- ret = true;
- else if (!system_executed (retval))
- argv_msg_prefix (D_TLS_ERRORS, &argv, "TLS Auth Error: user-pass-verify script failed to execute");
-
if (!session->opt->auth_user_pass_verify_script_via_file)
setenv_del (session->opt->es, "password");
}
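Review bot: The removed `argv_msg_prefix (D_TLS_ERRORS, ...)` branch was the only place that told an operator that the --auth-user-pass-verify script failed to execute rather than rejected the credentials; after this hunk both cases yield `ret == false` and, from this function's point of view, look like an ordinary authentication failure. If openvpn_run_script() does not itself emit a distinct message for the not-executed case (not visible here), misconfigured script-security or a missing script will surface only as repeated auth failures, which is the wrong signal for monitoring. A short comment on the assignment would at least make the contract explicit: `/* true only if the script ran and exited 0; a script that could not be run is reported by openvpn_run_script() itself */`. Note also that the `setenv_del (..., "password")` cleanup below depends on reaching this point, so any early exit added between the argv_printf and the call must not skip it; the function's head is outside this hunk.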